Summary: | <dev-python/django-(1.4.18,1.6.10,1.7.3): multiple vulnerabilities (CVE-2015-{0219,0220,0221,0222}) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | jlec, python |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://www.djangoproject.com/weblog/2015/jan/13/security/ | | |
Whiteboard: | B3 [noglsa] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 541704 | | |
Bug Blocks: | | | |
Description (Agostino Sarubbo, 2015-01-14 11:56:02 UTC)
CVE-2015-0222 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0222): ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries.

CVE-2015-0221 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0221): The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.

CVE-2015-0220 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0220): The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL.

CVE-2015-0219 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0219): Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.
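As an added illustration (not Django's code and not part of this bug report), the following Python models two of the four issues described above: how a dash-spelled and an underscore-spelled header name collapse to one WSGI environ key (CVE-2015-0219), and a redirect-target check that normalises whitespace before parsing instead of relying on parser behaviour (CVE-2015-0220). The function names, the simplified environ mapping and the host value are assumptions made for the example.

```python
# Added example; not Django's or Gentoo's code. Function names and the
# simplified WSGI mapping are assumptions made for this illustration.
import re
from urllib.parse import urlsplit


def wsgi_headers_naive(headers):
    """Simplified model of how a WSGI server builds environ keys: upper-case
    the header name and turn '-' into '_'. Both 'X-Auth-User' (set by a
    trusted proxy) and a client-supplied 'X-Auth_User' collapse to the same
    HTTP_X_AUTH_USER key, which is the ambiguity CVE-2015-0219 describes."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers}


def wsgi_headers_filtered(headers):
    """Mitigation (what Django's runserver and nginx's default do): drop any
    header whose raw name contains an underscore before the conversion, so
    only the dash-spelled name can ever reach HTTP_X_AUTH_USER."""
    return wsgi_headers_naive((n, v) for n, v in headers if "_" not in n)


# ASCII control characters, space and DEL: none belong in a redirect target,
# and browsers skip leading ones when they read the scheme.
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")


def is_safe_redirect(url, allowed_host):
    """Redirect-target check in the spirit of the CVE-2015-0220 fix. The
    pre-fix check compared scheme and host straight after parsing, so a
    target such as '\\njavascript:...' parsed with an empty scheme and passed
    while the browser ran it as javascript:. Normalise first: strip the
    surrounding whitespace, reject any remaining control characters, then
    require an http(s) scheme (if any) and the allowed host (if any)."""
    if not url:
        return False
    url = url.strip()
    if not url or _CONTROL_OR_SPACE.search(url):
        return False
    parts = urlsplit(url)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if parts.scheme and not parts.netloc:
        # 'http:///evil.example' has a scheme but no netloc for urlsplit,
        # while browsers treat it as an absolute URL: refuse it.
        return False
    return not parts.netloc or parts.netloc == allowed_host
```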
+ 28 Feb 2015; Justin Lecher <jlec@gentoo.org> package.mask: + Mask dev-python/django-1.5* for unfixed security issues + (CVE-2015-{0219,0220,0221,0222}), #536586 + *django-1.4.19 (28 Feb 2015) +*django-1.6.10 (28 Feb 2015) + + 28 Feb 2015; Justin Lecher <jlec@gentoo.org> +django-1.4.19.ebuild, + +django-1.6.10.ebuild, +files/django-1.4.19-bashcomp.patch, + +files/django-1.4.19-test.patch, +files/django-1.6.10-bashcomp.patch, + +files/django-1.6.10-test.patch, -django-1.7.4.ebuild, -django-1.7.ebuild, + django-1.7.5.ebuild, django-9999.ebuild: + Version BUmp and drop old for CVE-2015-{0219,0220,0221,0222}, #536586; add + correct dependencies for tests, Use optfeature instead of harddepened on + imaging, #473228

@arches please stable, testsuite included

dev-python/django-1.4.19
dev-python/django-1.6.10

amd64 stable

x86 stable.

Maintainer(s), please clean up. Security, please vote. Arches, thank you for your work.

GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).

GLSA Vote: No

All vulnerable versions dropped.

(In reply to Justin Lecher from comment #9)
> All vulnerable versions dropped.

Thanks